Feed aggregator

SA-CONTRIB-2014-026 - Mime Mail - Access bypass

Drupal Contrib Security Announcements - Wed, 02/26/2014 - 19:13
  • Advisory ID: DRUPAL-SA-CONTRIB-2014-026
  • Project: Mime Mail (third-party module)
  • Version: 6.x, 7.x
  • Date: 2014-February-26
  • Security risk: Not critical
  • Exploitable from: Remote
  • Vulnerability: Access bypass
Description

The MIME Mail module allows processing of incoming MIME-encoded e-mail messages with embedded images and attachments.

The default key used to authenticate incoming messages is generated from a random number. On some platforms (such as Windows) the maximum value of this number is only 32767, which makes the generated key particularly vulnerable to a brute-force attack.

This vulnerability is mitigated by the fact that processing of incoming messages needs to be enabled on the site and that the default key can be arbitrarily changed by the site administrator.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Mime Mail 6.x-1.x versions prior to 6.x-1.3.
  • Mime Mail 7.x-1.x versions prior to 7.x-1.0-beta2.

Drupal core is not affected. If you do not use the contributed Mime Mail module, there is nothing you need to do.

Solution

Install the latest version:

These releases include a stronger authentication process for incoming messages, which is not backward compatible. If you use this feature, make sure to authenticate your messages with the HMAC method and the new key generated during the update process.
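As an added illustration of the two patterns this advisory contrasts (a key derived from a small random integer versus an HMAC tag under a fresh random key), the following Python is not code from the Mime Mail module; the message layout (a message id plus body) and the function names are assumptions made for the example.

```python
"""Incoming-message authentication: weak numeric key vs. HMAC with a strong key.

Added illustration for the Mime Mail advisory; not the module's own code.
The message layout and function names are assumptions; the point is the size
of the key space and the verification method.
"""
import hashlib
import hmac
import math
import random
import secrets

# Per the advisory: on some platforms the random number used to derive the
# default key is capped at 32767, i.e. a 15-bit key space.
RAND_MAX_SMALL = 32767


def weak_default_key(rand_max: int = RAND_MAX_SMALL) -> str:
    """The pre-fix pattern: a key derived from a single random integer.

    Every key this can produce lies in range(rand_max + 1), so a guesser has
    at most rand_max + 1 candidates; that is why the advisory calls it
    brute-forceable.
    """
    return str(random.randint(0, rand_max))


def key_space_bits(rand_max: int) -> float:
    """Entropy in bits of a key drawn uniformly from [0, rand_max]."""
    return math.log2(rand_max + 1)


def strong_key() -> bytes:
    """The fixed pattern: 32 bytes from the OS CSPRNG (a 256-bit key space)."""
    return secrets.token_bytes(32)


def sign_message(key: bytes, message_id: str, body: bytes) -> str:
    """HMAC-SHA256 tag over the fields the receiver will act on.

    Length-prefixing the id keeps (message_id, body) pairs that would
    concatenate to the same bytes from sharing a tag.
    """
    mac = hmac.new(key, digestmod=hashlib.sha256)
    mac.update(len(message_id).to_bytes(4, "big"))
    mac.update(message_id.encode("utf-8"))
    mac.update(body)
    return mac.hexdigest()


def verify_message(key: bytes, message_id: str, body: bytes, tag: str) -> bool:
    """Recompute the tag and compare in constant time.

    hmac.compare_digest avoids the timing leak of a plain == comparison, which
    would reveal how many leading characters of the tag matched.
    """
    expected = sign_message(key, message_id, body)
    return hmac.compare_digest(expected, tag)


def demo() -> dict:
    """Round trip on a constructed message: accepted intact, rejected when tampered."""
    key = strong_key()
    message_id = "msg-0001"  # constructed sample id
    body = b"Subject: report\r\n\r\nQuarterly numbers attached.\r\n"  # constructed
    tag = sign_message(key, message_id, body)
    return {
        "weak_bits": key_space_bits(RAND_MAX_SMALL),   # 15.0
        "strong_bits": len(key) * 8,                     # 256
        "valid": verify_message(key, message_id, body, tag),
        "tampered_body": verify_message(key, message_id, body + b"extra", tag),
        "wrong_key": verify_message(strong_key(), message_id, body, tag),
    }


if __name__ == "__main__":
    print(demo())
```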

Also see the Mime Mail project page.

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 6.x, Drupal 7.x
Categories: Security posts

SA-CONTRIB-2014-025 - Open Omega - Access Bypass

Drupal Contrib Security Announcements - Wed, 02/26/2014 - 17:23
  • Advisory ID: DRUPAL-SA-CONTRIB-2014-025
  • Project: Open Omega (third-party theme)
  • Version: 7.x
  • Date: 2014-February-26
  • Security risk: Less critical
  • Exploitable from: Remote
  • Vulnerability: Access bypass
Description

This theme is a sub-theme of Omega used as a sample theme for the Open Public distribution.

The theme doesn't sufficiently check the user's menu access when building the header and footer menus, so it can expose the title and path of restricted items in the menu.

This vulnerability is mitigated by the fact that it is only present when the menu has items whose access restrictions differ by role.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • openomega 7.x-1.x versions prior to 7.x-1.1.

Drupal core is not affected. If you do not use the contributed Open Omega theme, there is nothing you need to do.

Solution

Install the latest version:

Also see the Open Omega project page.

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
Categories: Security posts

SA-CONTRIB-2014-024 - Content Lock - CSRF

Drupal Contrib Security Announcements - Wed, 02/26/2014 - 16:28
Description

This module prevents people from editing the same content at the same time. It adds a locking layer to nodes. It does not protect from CSRF.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • All 6.x Versions
  • All 7.x Versions

Drupal core is not affected. If you do not use the contributed Content locking (anti-concurrent editing) module, there is nothing you need to do.

Solution

Uninstall the module; it is no longer maintained.

Also see the Content locking (anti-concurrent editing) project page.

Fixed by

There is no fix for this issue.

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 6.x, Drupal 7.x
Categories: Security posts

SA-CONTRIB-2014-023 - Project Issue File Review - XSS

Drupal Contrib Security Announcements - Wed, 02/26/2014 - 16:10
  • Advisory ID: DRUPAL-SA-CONTRIB-2014-023
  • Project: Project Issue File Review (third-party module)
  • Version: 6.x
  • Date: 2014-February-26
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Cross Site Scripting
Description

The Project Issue File Review (PIFR) module provides an abstracted client-server model and plugin API for performing distributed operations such as code review and testing, with a focus on supporting Drupal development.

Two scenarios were identified where the module does not sufficiently sanitize user provided input, exposing the 'server' component of the module to cross-site scripting vulnerabilities.

The first scenario is mitigated by the fact that an attacker must have a role with the 'manage PIFR environments' administrative permission.

The second scenario is mitigated by the fact that an attacker must be able to initiate testing of a patch specially crafted to exploit the vulnerability on the PIFR testing environment, have the testing execute successfully on a PIFR client, and have the client provide the testing results back to the PIFR server component.

As one common purpose of this module is to provide validation and testing of user-supplied patches, users of the PIFR module should always consider the 'PIFR client' component of this module as insecure and untrusted, by design. The 'PIFR client' component should always be maintained in a separate network environment, isolated from the 'PIFR server' component or other critical infrastructure.

There have been no known exploits of this vulnerability observed or reported on any servers running the PIFR module, including those within Drupal.org's automated testing environment.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Project_Issue_File_Review 6.x-2.x versions prior to 6.x-2.17.

Drupal core is not affected. If you do not use the contributed Project Issue File Review module, there is nothing you need to do.

Solution

Install the latest version:

  • If you use the PIFR module for Drupal 6.x, upgrade to Project Issue File Review 6.x-2.17. Be sure to review and consider the associated release notes for all intermediary releases when upgrading.

Also see the Project Issue File Review project page.

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 6.x
Categories: Security posts

SA-CONTRIB-2014-022 - Slickgrid - Access bypass

Drupal Contrib Security Announcements - Wed, 02/19/2014 - 15:36
  • Advisory ID: DRUPAL-SA-CONTRIB-2014-022
  • Project: Slickgrid (third-party module)
  • Version: 7.x
  • Date: 2014-February-22
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Access bypass
Description

The Slickgrid module is an implementation of the jQuery slickgrid plugin, a lightning-fast JavaScript grid/spreadsheet. It defines a slickgrid view style, so all data can be output as an editable grid.

The module doesn't check access sufficiently, allowing users to edit and change field values of nodes they should not have access to change.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Slickgrid 7.x-1.x versions

Drupal core is not affected. If you do not use the contributed Slickgrid module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Slickgrid project page.

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
Categories: Security posts

SA-CONTRIB-2014-021 - Maestro - Cross Site Scripting (XSS)

Drupal Contrib Security Announcements - Wed, 02/19/2014 - 14:57
  • Advisory ID: DRUPAL-SA-CONTRIB-2014-021
  • Project: Maestro (third-party module)
  • Version: 7.x
  • Date: 2014-February-19
  • Security risk: Less critical
  • Exploitable from: Remote
  • Vulnerability: Cross Site Scripting
Description

The Maestro module enables you to create complex workflows, automating business processes.
The module doesn't sufficiently filter Role or Organic Group names when displaying them in the workflow details.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission to create Drupal Roles or Organic Groups.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Maestro 7.x-1.x versions prior to 7.x-1.4.

Drupal core is not affected. If you do not use the contributed Maestro module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Maestro project page.

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
Categories: Security posts

SA-CONTRIB-2014-020 - Drupal Commons - Cross Site Scripting (XSS)

Drupal Contrib Security Announcements - Wed, 02/12/2014 - 21:13
  • Advisory ID: DRUPAL-SA-CONTRIB-2014-020
  • Project: Drupal Commons (third-party distribution)
  • Version: 7.x
  • Date: 2014-02-12
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Cross Site Scripting
Description

Drupal Commons is a ready-to-use solution for building either internal or external communities. It provides a complete social business software solution for organizations. Drupal Commons displays an "activity stream" containing messages about actions users take on the site.

In some cases, messages about content creation are not properly sanitized, leading to cross site scripting in those messages.

The vulnerability is mitigated in that only certain kinds of activity stream messages are affected, and not all arbitrary script can be executed.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Drupal Commons 7.x-3.x versions prior to 7.x-3.9.

Drupal core is not affected. If you do not use the contributed Drupal Commons distribution, there is nothing you need to do.

Solution

Install the latest version:

Also see the Drupal Commons project page.

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
Categories: Security posts

SA-CONTRIB-2014-019 - Easy Social - Cross Site Scripting (XSS)

Drupal Contrib Security Announcements - Wed, 02/12/2014 - 19:58
  • Advisory ID: DRUPAL-SA-CONTRIB-2014-019
  • Project: Easy Social (third-party module)
  • Version: 7.x
  • Date: 2014-February-12
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Cross Site Scripting
Description

This module enables you to add social sharing widgets to your content and pages.
The module doesn't sufficiently validate block titles when a user creates a custom block from within the module's admin interface.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer easy social".

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Easy Social 7.x-2.x versions prior to 7.x-2.11.

Drupal core is not affected. If you do not use the contributed Easy Social module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Easy Social project page.

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.


Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
Categories: Security posts

SA-CONTRIB-2014-018 - Webform - Cross Site Scripting (XSS)

Drupal Contrib Security Announcements - Wed, 02/12/2014 - 16:45
  • Advisory ID: DRUPAL-SA-CONTRIB-2014-018
  • Project: Webform (third-party module)
  • Version: 6.x, 7.x
  • Date: 2014-February-12
  • Security risk: Critical
  • Exploitable from: Remote
  • Vulnerability: Cross Site Scripting
Description

The Webform module enables you to create forms which can be used for surveys, contact forms or other data collection throughout your site.

The module doesn't sufficiently sanitize field label titles when two fields have the same form_key, which can only be managed by carefully crafting the webform structure via a specific set of circumstances.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "create webform content".

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Webform 6.x-3.x versions prior to 6.x-3.19.
  • Webform 7.x-3.x versions prior to 7.x-3.19.
  • Webform 7.x-4.x versions prior to 7.x-4.0-beta2.

Drupal core is not affected. If you do not use the contributed Webform module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Webform project page.

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.


Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 6.x, Drupal 7.x
Categories: Security posts

SA-CONTRIB-2014-017 - Image Resize Filter - Denial of Service (DOS)

Drupal Contrib Security Announcements - Wed, 02/12/2014 - 16:35
  • Advisory ID: DRUPAL-SA-CONTRIB-2014-017
  • Project: Image Resize Filter (third-party module)
  • Version: 6.x, 7.x
  • Date: 2014-February-12
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Denial of Service (DOS)
Description

This module enables you to resize images based on the HTML contents of a post. Images with specified height and width properties that differ from the original image result in a resized image being created.

The module doesn't limit the number of resized images per post or user, which could allow a user to post a large number of images that need to be resized within a single piece of content. This could cause the server to become overwhelmed by requests to resize images.

This vulnerability is mitigated by the fact that an attacker must have a role that allows them to post content that utilizes the image resize filter.
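The missing control described above is a per-post limit on resize work. The following Python is an added example of such a check and is not the module's code (the fixed releases may cap the work differently); the original-dimension table and the limit value are constructed for the example.

```python
"""Cap the number of server-side resizes a single post can trigger.

Added example for the Image Resize Filter advisory; not the module's own code.
The original-dimension table and MAX_RESIZES_PER_POST are constructed here.
"""
from html.parser import HTMLParser

# Constructed stand-in for reading each original image's dimensions from disk.
ORIGINAL_DIMENSIONS = {
    "/files/photo.jpg": (1200, 800),
    "/files/logo.png": (300, 100),
}

MAX_RESIZES_PER_POST = 10  # assumed policy value, not a setting of the module


class ImgCollector(HTMLParser):
    """Collect the attribute dict of every <img> tag in a post body."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            self.images.append(dict(attrs))


def parse_dimension(value):
    """Pixel size as int, or None for missing, percentage or junk values."""
    if value is None:
        return None
    text = value.strip().lower()
    if text.endswith("px"):
        text = text[:-2]
    return int(text) if text.isdigit() else None


def needs_resize(attrs, originals=ORIGINAL_DIMENSIONS):
    """True when the post asks for dimensions that differ from the stored original.

    Mirrors the behaviour the advisory describes: only a width/height that
    differs from the original produces a new resized file. Images the site
    does not hold (unknown or remote src) are never resized locally.
    """
    src = attrs.get("src")
    if src not in originals:
        return False
    orig_w, orig_h = originals[src]
    width = parse_dimension(attrs.get("width"))
    height = parse_dimension(attrs.get("height"))
    if width is None and height is None:
        return False
    return (width is not None and width != orig_w) or (
        height is not None and height != orig_h
    )


def count_resizes(html, originals=ORIGINAL_DIMENSIONS):
    """Number of distinct resize operations the post would schedule."""
    parser = ImgCollector()
    parser.feed(html)
    parser.close()
    return sum(1 for attrs in parser.images if needs_resize(attrs, originals))


def check_post(html, limit=MAX_RESIZES_PER_POST, originals=ORIGINAL_DIMENSIONS):
    """Return (accepted, resize_count); decide before any resize work is scheduled."""
    count = count_resizes(html, originals)
    return count <= limit, count


SAMPLE_POST = (  # constructed post body: two resizes, one exact match, one remote image
    '<p><img src="/files/photo.jpg" width="600" height="400"></p>'
    '<img src="/files/photo.jpg" width="1200" height="800">'
    '<img src="/files/logo.png" width="150">'
    '<img src="https://example.invalid/x.png" width="10" height="10">'
)

if __name__ == "__main__":
    print(check_post(SAMPLE_POST, limit=1))  # (False, 2)
```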

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Image Resize Filter 6.x-1.x versions prior to 6.x-1.14.
  • Image Resize Filter 7.x-1.x versions prior to 7.x-1.14.

Drupal core is not affected. If you do not use the contributed Image Resize Filter module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Image Resize Filter project page.

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.


Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 6.x, Drupal 7.x
Categories: Security posts

SA-CONTRIB-2014-016 - Mayo Theme - XSS Vulnerability

Drupal Contrib Security Announcements - Wed, 02/12/2014 - 16:25
  • Advisory ID: DRUPAL-SA-CONTRIB-2014-016
  • Project: MAYO (third-party theme)
  • Version: 7.x
  • Date: 2014-02-12
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Cross Site Scripting
Description

The theme settings allow you to link to a header background file.
A URL could be entered that was not properly sanitized, leading to an XSS vulnerability.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer themes".

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • MAYO Theme 7.x-1.x versions prior to 7.x-1.3.

Drupal core is not affected. If you do not use the contributed MAYO theme, there is nothing you need to do.

Solution

Install the latest version:

  • If you use the theme MAYO for Drupal 7.x, upgrade to MAYO 7.x-1.3

Also see the MAYO project page.

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Categories: Security posts

SA-CONTRIB-2014-015 - FileField - Access Bypass

Drupal Contrib Security Announcements - Wed, 02/12/2014 - 16:23
  • Advisory ID: DRUPAL-SA-CONTRIB-2014-015
  • Project: FileField (third-party module)
  • Version: 6.x
  • Date: 2014-02-12
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Access bypass
Description

The FileField module allows users to upload files in conjunction with the Content Construction Kit (CCK) module in Drupal 6.

The module doesn't sufficiently check permissions on revisions when determining if a user should have access to a particular file attached to that revision. A user could gain access to private files attached to revisions when they don't have access to the corresponding revision.

This vulnerability is mitigated by the fact that an attacker must have access to upload files through FileField module while creating content, and the site must be using a non-core workflow module that allows users to create unpublished revisions of content.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • FileField 6.x-3.x versions prior to 6.x-3.12.

Drupal core is not affected. If you do not use the contributed FileField module, there is nothing you need to do.

Solution

Install the latest version:

Also see the FileField project page.

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 6.x
Categories: Security posts

SA-CONTRIB-2014-014 - Webform Validation - Cross Site Scripting (XSS)

Drupal Contrib Security Announcements - Wed, 02/12/2014 - 16:10
  • Advisory ID: DRUPAL-SA-CONTRIB-2014-014
  • Project: Webform Validation (third-party module)
  • Version: 6.x, 7.x
  • Date: 2014-February-12
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Cross Site Scripting
Description

The Webform Validation module enables you to add additional form validation rules to Webforms created by the Webform module.
The module doesn't sufficiently filter component name text before display, opening up the possibility of cross site scripting.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission to edit Webform content.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Webform Validation 6.x-1.x versions prior to 6.x-1.6.
  • Webform Validation 7.x-1.x versions prior to 7.x-1.4.

Drupal core is not affected. If you do not use the contributed Webform Validation module, there is nothing you need to do.

Solution

Install the latest version:

The only changes in these new versions are the fixes for this issue.

Also see the Webform Validation project page.

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 6.x, Drupal 7.x
Categories: Security posts

SA-CONTRIB-2014-013 - Chaos tool suite (ctools) - Access Bypass

Drupal Contrib Security Announcements - Wed, 02/12/2014 - 15:48
  • Advisory ID: DRUPAL-SA-CONTRIB-2014-013
  • Project: Chaos tool suite (ctools) (third-party module)
  • Version: 6.x, 7.x
  • Date: 2014-02-12
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Access bypass
Description

This module provides content editors with an autocomplete callback for entity titles, as well as an ability to embed content within the Chaos tool suite (ctools) framework.

Prior to this version, ctools did not sufficiently check access grants for various types of content other than nodes. It also didn't sufficiently check access before displaying content with the relationship plugin.

These vulnerabilities are mitigated by the fact that you must be using entities other than node or users for the autocomplete callback, or you must be using the relationship plugin and displaying the content (e.g. in panels).

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Chaos tool suite (ctools) 6.x-1.x versions prior to 6.x-1.11.
  • Chaos tool suite (ctools) 7.x-1.x versions prior to 7.x-1.4.

Drupal core is not affected. If you do not use the contributed Chaos tool suite (ctools) module, there is nothing you need to do.

Solution

Install the latest version:

  • If you use the Chaos tool suite module for Drupal 6.x, upgrade to ctools 6.x-1.11
  • If you use the Chaos tool suite module for Drupal 7.x, upgrade to ctools 7.x-1.4

Also see the Chaos tool suite (ctools) project page.

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 6.x, Drupal 7.x
Categories: Security posts

SA-CONTRIB-2014-012 - Modal Frame API - Cross Site Scripting (XSS)

Drupal Contrib Security Announcements - Wed, 02/05/2014 - 21:18
  • Advisory ID: DRUPAL-SA-CONTRIB-2014-012
  • Project: Modal Frame API (third-party module)
  • Version: 6.x
  • Date: 2014-February-05
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Cross Site Scripting
Description

This module provides an API to render an iframe within a modal dialog based on the jQuery UI Dialog plugin. You should not install this module unless another module requires it, or you wish to use it from your own custom modules.

The module doesn't sufficiently filter user supplied text.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • modalframe 6.x-1.8 and prior versions

Drupal core is not affected. If you do not use the contributed Modal Frame API module, there is nothing you need to do.

Solution

Uninstall the module. It is no longer maintained.

Also see the Modal Frame API project page.

Reported by
  • Erich Beyrent
Fixed by

Not applicable.

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 6.x
Categories: Security posts

SA-CONTRIB-2014-011 - Push Notifications - Information Disclosure

Drupal Contrib Security Announcements - Wed, 02/05/2014 - 18:45
  • Advisory ID: DRUPAL-SA-CONTRIB-2014-011
  • Project: Push Notifications (third-party module)
  • Version: 7.x
  • Date: 2014-February-05
  • Security risk: Less critical
  • Exploitable from: Remote
  • Vulnerability: Information Disclosure
Description

This module enables the delivery of push notifications to iOS and Android devices.

The module doesn't sufficiently randomize the certificate filenames required for Apple's Push Notification service or protect the files from being publicly accessible, which could allow an attacker to acquire the certificates and broadcast push notifications to the target's user base.

This vulnerability primarily affects sites that did not follow the general security best practice of placing certificates into a directory outside of the webroot and did not use password-protected certificate files.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • push_notifications 7.x-1.x versions prior to 7.x-1.1

Drupal core is not affected. If you do not use the contributed Push Notifications module, there is nothing you need to do.

Solution

Install the latest version:

  • If you use the push_notifications module for Drupal 7.x and your APNS certificate files are stored in the default directory, upgrade to push_notifications 7.x-1.1
  • Navigate to the configuration page for the push_notifications module (admin/config/services/push_notifications/configure) and click the "Generate new certificate string" button to generate a random filename. Then, rename your APNS certificates according to the instructions on the push notification configuration page.

Also see the Push Notifications project page.

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Categories: Security posts

SA-CONTRIB-2014-010 - Services - Access Bypass and Privilege Escalation

Drupal Contrib Security Announcements - Wed, 02/05/2014 - 15:57
  • Advisory ID: DRUPAL-SA-CONTRIB-2014-010
  • Project: Services (third-party module)
  • Version: 7.x
  • Date: 2014-February-05
  • Security risk: Highly critical
  • Exploitable from: Remote
  • Vulnerability: Access bypass
Description

The Services module enables you to expose an API to third party systems using REST, XML-RPC or other protocols.

User update access bypass vulnerability

An authenticated user is able to assign additional roles to themselves, which means they can escalate their privileges by assigning an administrative role.

This vulnerability is mitigated by the fact that the user must be able to log in on the site, the update operation on the user resource configuration must be enabled, and the site must have a role with more permissions than the authenticated user.

Comment access bypass vulnerability

An authenticated attacker with the permission to post comments is able to update other users' comments.

This vulnerability is mitigated by the fact that the update operation on the comment resource configuration must be enabled.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Services 7.x-3.x versions prior to 7.x-3.6.

Drupal core is not affected. If you do not use the contributed Services module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Services project page.

Reported by
  • The User update access bypass vulnerability was reported by Fredrik Lassen.
  • The Comment access bypass vulnerability was reported by wedge.
Fixed by
  • The User update access bypass vulnerability was fixed by Fredrik Lassen.
  • The Comment access bypass vulnerability was fixed by Kyle Browning, the module maintainer.
Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.


Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
Categories: Security posts

SA-CONTRIB-2014-009 - Tagadelic - Information Disclosure

Drupal Contrib Security Announcements - Mon, 02/03/2014 - 02:06
  • Advisory ID: DRUPAL-SA-CONTRIB-2014-009
  • Project: Tagadelic (third-party module)
  • Version: 6.x
  • Date: 2014-February-05
  • Security risk: Less critical
  • Exploitable from: Remote
  • Vulnerability: Information Disclosure
Description

This module provides an API and a few simple turnkey modules that allow you to easily create tag clouds, weighted lists, search clouds and the like.

The 6.x-1.x version does not take node access modules into account, thereby disclosing information about content that node access rules would otherwise hide.

This vulnerability is mitigated by the fact that a site must be using a node access module.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Tagadelic 6.x-1.x versions.

Drupal core is not affected. If you do not use the contributed Tagadelic module, there is nothing you need to do.

Solution

If you use the Tagadelic module for Drupal 6.x, upgrade to Tagadelic 6.x-1.5 and then disable node access modules, such as taxonomy_access and content_access.

Also see the Tagadelic project page.

Reported by

Fixed by

Coordinated by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 6.x
Categories: Security posts

SA-CONTRIB-2014-008 - Tribune - Cross Site Scripting (XSS)

Drupal Contrib Security Announcements - Wed, 01/29/2014 - 21:22
  • Advisory ID: DRUPAL-SA-CONTRIB-2014-008
  • Project: Tribune (third-party module)
  • Version: 6.x, 7.x
  • Date: 2014-January-29
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Cross Site Scripting
Description

A tribune is a type of chatroom.

The module doesn't sufficiently filter user-provided text in Tribune node titles.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission to create a Tribune node.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Tribune 6.x-1.x versions.
  • Tribune 7.x-3.x versions.

Drupal core is not affected. If you do not use the contributed Tribune module, there is nothing you need to do.

Solution

Remove the module or otherwise mitigate the issue.

Also see the Tribune project page.

Reported by

Fixed by

Not applicable.

Coordinated by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 6.x, Drupal 7.x
Categories: Security posts

SA-CONTRIB-2014-007 - Services - Multiple access bypass vulnerabilities

Drupal Contrib Security Announcements - Wed, 01/29/2014 - 21:21
  • Advisory ID: DRUPAL-SA-CONTRIB-2014-007
  • Project: Services (third-party module)
  • Version: 7.x
  • Date: 2014-January-29
  • Security risk: Highly critical
  • Exploitable from: Remote
  • Vulnerability: Multiple access bypass vulnerabilities
Description

This module enables you to expose an API to third party systems using REST, XML-RPC or other protocols.

The form API provides a method for developers to submit forms programmatically using the function drupal_form_submit(). During programmatic form submissions, all access checks are deliberately bypassed, and any form element may be submitted regardless of the current user's access level.

To facilitate this, a new, optional $form_state['programmed_bypass_access_check'] element has been added to the Drupal 7 form API. If this is provided and set to FALSE, drupal_form_submit() will perform the normal form access checks against the current user while submitting the form, rather than bypassing them.

Services relies heavily on programmatic form submission and therefore needs to set this new $form_state['programmed_bypass_access_check'] element so that access control checks and hooks are enforced for untrusted users.
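The two patterns the advisory describes, side by side, as an added example that is not Services module code; the function names, the choice of user_profile_form as the target form and the $uid/$data parameters are assumptions for illustration:

```php
<?php
// Added example (hypothetical, not from the Services module): a resource
// callback that updates a user account by submitting user_profile_form
// programmatically on behalf of the current (untrusted) API user.

/**
 * Weak pattern: drupal_form_submit() bypasses every form access check, so
 * elements guarded by #access (and only meant for privileged users) are
 * accepted from whatever $data the API caller sends.
 */
function services_example_user_update_unsafe($uid, array $data) {
  $account = user_load($uid);
  $form_state = array();
  // $data comes straight from the request body and is untrusted.
  $form_state['values'] = $data;
  // Extra arguments are passed on to the form constructor (user_profile_form).
  drupal_form_submit('user_profile_form', $form_state, $account);
  return form_get_errors();
}

/**
 * Hardened pattern (Drupal 7.26+): opt out of the bypass so the normal
 * #access checks run against the current user during the submission.
 * Restricted elements are then handled as if the caller never submitted them.
 */
function services_example_user_update_safe($uid, array $data) {
  $account = user_load($uid);
  $form_state = array();
  $form_state['values'] = $data;
  // Must be provided and explicitly FALSE; omitting it keeps the bypass.
  $form_state['programmed_bypass_access_check'] = FALSE;
  drupal_form_submit('user_profile_form', $form_state, $account);
  return form_get_errors();
}
```

The hardened callback still reports validation errors through form_get_errors(), so a caller who submits fields they are not allowed to change receives an error or a silently unchanged account rather than an escalated one.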

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Services 7.x-3.x versions prior to 7.x-3.5.

Drupal core is not affected. If you do not use the contributed Services module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Services project page.

Reported by

Fixed by

Coordinated by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Drupal version: Drupal 7.x
Categories: Security posts
